On 29 Jul 2016, Tom Roche wrote:
moin moin,
and how many fingerprints can be replicated from people waving during a
selfie?
Cop shows demonstrate all the time that fingerprints and DNA are pretty
easy to come by without even having to resort to the enhance button.
In both cases, rotating them on a regular basis is a dangerous and
expensive process.
ciao,
der.hans
Following the recent deprecation of 2FA over SMS (thread head here[1]), I was interested
to note this NPR article[2] (dated 'July 27, 2016 2:34 PM ET'): "Police Use
Fingertip Replicas To Unlock A Murder Victim's Phone". Basically, a team @ Michigan
State University found a way to replicate a fingerprint good enough to unlock a phone. 3
things I noted:
1. The two-part approach that worked (after 2 previous fails) doesn't seem that hard to
replicate. The MSU team enhanced previously-taken, plain-old-fashioned fingerprints, then
printed the enhancements with conductive ink. One suspects this will be off-the-shelf
before too long. Combine that with the following observations (file under
"ISTM/ICBW") that
* there's a lot more fingerprinting "going on out there." E.g., I'm pretty sure
I was required to give fingerprints as part of my EPA clearance. (I.e., what one does in
order to gain access to ... scientific compute clusters.)
* fingerprints aren't that hard to take, given an item handled at (e.g.) a
workplace or restaurant.
2. What surprised me more is, under current law (sorta--caveat below) something like a password (an
"expression") is not subject to "force compulsion," but ...
"The Smartphone versus the Fifth Amendment," Berkeley Technology Law Journal,
21 Dec 2014[3]
in the aftermath of Virginia v. Baust, many smartphone users may soon
reconsider their reliance on fingerprint ID technology.
In October [2014], a Virginia trial judge ruled [in Virginia v. Baust] that unlike a
passcode, the production of one's fingerprint is not "testimonial
communication", and therefore, the Fifth Amendment privilege against
self-incrimination cannot be invoked. Rather, the government may properly compel the
production of a smartphone user's fingerprint to unlock the user's device. This force
compulsion would ostensibly extend to any applications within a device that can be opened
via fingerprint.
However,
As a trial court, the ruling in Virginia v. Baust is not mandatory law.
However, as with any early caselaw in a novel and undeveloped area of the law,
this opinion will likely be cited as a persuasive authority.
IANAL, so I don't know of subsequent use, or even how to search the case law
for it.
3. What I'd be interested to know is, would a hardware key (e.g., SecurID, YubiKey)
be considered compellable or not? Either way, for 2FA purposes currently,
4. ... I'd hafta agree with Ed[4] that password+key beats password+SMS.
5. ... ISTM password+key beats password+fingerprint to the extent that (IIUC) a
duplicate key will be harder to hack than a fingerprint for the foreseeable
future. Am I missing something?
FWIW, Tom Roche <[email protected]>
[1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html
[2]: http://www.npr.org/sections/alltechconsidered/2016/07/27/487605182/police-use-fingertip-replicas-to-unlock-a-murder-victims-phone
[3]: http://btlj.org/2014/12/the-smartphone-versus-the-fifth-amendment/
[4]: http://lists.phxlinux.org/lurker/message/20160729.055043.2f7884f4.en.html
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
# http://www.LuftHans.com/ http://www.PhxLinux.org/
# Very frankly, I am opposed to people being programmed by others.
# -- Fred Rogers, aka Mr. Rogers (1928-2003)